Zero-Day IE 7 Flaw Discovered

Though Microsoft on
Tuesday closed the books on its 2008 patch rollout cycle, it once again has
to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by
Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm
Center.

Found in the wild a day after Microsoft released an IE patch addressing four
separately reported private vulnerabilities, the bug creates an Extensible
Markup Language (XML) tag and then deliberately delays processing for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if
successful. This would force a restart that would allow malicious code to
piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or
Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is
"investigating new public claims of a possible vulnerability in Internet
Explorer" without mentioning this exploit in particular. Microsoft continued
that when it concludes its investigation, it will take action that "may include
providing a security update through the monthly release process, an
out-of-cycle update, or additional guidance to help customers protect
themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline
at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of
zero-day exploits, including this one, continues to reinforce the importance of
practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt
Microsoft to reconfigure its patch release frequency to respond more rapidly to
wild exploits in an increasingly real-time environment, security experts agree
that such a pursuit would be in vain. Neither Microsoft nor any other vendor
can realistically build and ship a patch for a single processing environment;
it must first test the fix across a range of scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today
and still provide the same level of quality," said Eric Schultze, chief
technology officer of Shavlik Technologies. "In my former life working at
Microsoft in the Security Response Unit, I saw Microsoft attempt to create and
release patches quickly. Sometimes this leads to quality issues. In one
instance, Microsoft released an Exchange Server patch four times within one
day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a
"no-support, use-at-your-own-risk" sign-up so people can download patches prior
to or during the quality assurance and testing phases. "This would allow
users to test patches on their environment and make their own decision to use
them," nCircle's Reguly said. "You would still have the standard monthly patch
release, but it provides a nice middle ground for those that want something
faster."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.